Differential Power Analysis
Paul Kocher, Joshua Jaffe, and Benjamin Jun
Cryptography Research, Inc.
presented by Italo Dacosta
Tamper resistant devices
• Tamper resistant microprocessors
– Store and process private or sensitive information
– The private information cannot be extracted
• Smart Cards
– “Self-contained microcontroller, with a microprocessor, memory and a serial interface integrated on to a single chip that is packaged in a plastic card”
– Used in banking applications, mobile phones, pay TV, etc.
Designing a secure smart card
• Several people involved with different assumptions
– Algorithm designers
– Protocol designers
– Software developers
– Hardware engineers
Algorithm designer assumption
from “Introduction to Differential Power Analysis and Related Attacks” by P. Kocher et al., Cryptography Research
• Typically, the algorithm is evaluated in isolation
– Differential cryptanalysis
– Linear cryptanalysis
Reality!
from “Introduction to Differential Power Analysis and Related Attacks” by P. Kocher et al., Cryptography Research
Reality – Side Channel Attacks
• “A correct implementation of a strong protocol is not necessarily secure”
• Failures can be caused by:
– Defective computation
• D. Boneh, R. A. DeMillo, and R. J. Lipton, On the importance of checking cryptographic protocols for faults, EUROCRYPT '97
– Information leaked during secret key operations
– Timing information
– Invasive measuring techniques
– Electromagnetic emanations (i.e. TEMPEST)
Power analysis attacks
• ICs are built out of individual transistors which consume power
• Monitoring and analysis of the power consumption of a device to extract the private information stored in it.
• Active, relatively cheap, non-invasive attack
Simple Power Analysis
• Focus on the use of visual inspection techniques to identify relevant power fluctuations during cryptographic operations
• Interpretation of power traces
– Power consumption measurements taken across a cryptographic operation
– Typically current used by a device over time
SPA DES traces
[Figure: SPA trace showing an entire DES operation]
[Figure: SPA trace showing DES rounds 2 and 3]
[Figure: SPA DES trace showing differences in power consumption of different microprocessor instructions (labels: jump, no jump)]
SPA attack
• SPA can reveal the sequence of instructions executed
• It can be used to break cryptographic implementations in which the execution path depends on the data being processed
– DES key schedule
– DES permutations
– Comparisons
– Multipliers
– Exponentiators
Preventing SPA
• In general, techniques to prevent SPA are fairly simple.
– Avoid procedures that use secret intermediates or keys for conditional branching operations
– Hardwired implementations of symmetric cryptography algorithms
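The rule about avoiding key-dependent conditional branches, applied to one of the "exponentiators" listed as SPA targets. This is an added example, not code from the slides or from Cryptography Research; the function names and the multiply counter (a constructed stand-in for the visible operation sequence in a power trace) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the power trace: every modular multiply is one visible
   operation, so the count models what SPA can read off (constructed model). */
static unsigned mul_count;

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t n) {
    mul_count++;
    return (uint32_t)(((uint64_t)a * b) % n);   /* caller guarantees n > 0 */
}

/* Leaky: the extra multiply runs only for 1 bits of the secret exponent, so
   the square / square-multiply pattern in the trace spells out the key. */
uint32_t modexp_leaky(uint32_t base, uint32_t exp, uint32_t n) {
    uint32_t r = 1 % n;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, n);
        if ((exp >> i) & 1)
            r = mulmod(r, base, n);
    }
    return r;
}

/* Branch-free: always square and multiply, then keep or discard the product
   with a mask, so the operation sequence is the same for every exponent. */
uint32_t modexp_fixed(uint32_t base, uint32_t exp, uint32_t n) {
    uint32_t r = 1 % n;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, n);
        uint32_t t = mulmod(r, base, n);
        uint32_t mask = (uint32_t)0 - ((exp >> i) & 1);  /* all ones if bit is 1 */
        r = (t & mask) | (r & ~mask);
    }
    return r;
}

typedef uint32_t (*modexp_fn)(uint32_t, uint32_t, uint32_t);

/* Number of modular multiplies one call performs (the modelled trace length). */
unsigned ops_used(modexp_fn f, uint32_t base, uint32_t exp, uint32_t n) {
    mul_count = 0;
    (void)f(base, exp, n);
    return mul_count;
}

int main(void) {
    printf("leaky: %u vs %u ops\n", ops_used(modexp_leaky, 4, 13, 497), ops_used(modexp_leaky, 4, 8, 497));
    printf("fixed: %u vs %u ops\n", ops_used(modexp_fixed, 4, 13, 497), ops_used(modexp_fixed, 4, 8, 497));
    return 0;
}
```

The fixed version removes only the key-dependent instruction sequence that SPA relies on; the data values handled still influence power consumption, which is the leakage DPA uses. On a real target the compiled output should be checked to confirm the mask select was not turned back into a branch.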
Differential Power Analysis
• Use of statistical analysis and error correction techniques to extract information correlated to secret keys
• Based on the effects correlated to data values being manipulated.
• More powerful than SPA and is much more difficult to prevent
DPA basic idea
• Data collection
– Capture power traces T1...m[1...k] containing k samples each
– Record the ciphertexts C1...m
– Knowledge of plaintext is not required
• Data analysis
– DPA selection function D(C,b,Ks)→{0,1}
– Compute k-sample differential trace ΔD[1...k], where:
DPA against DES
• DPA selection function D(C,b,Ks) is defined as:
– Returning the value of bit b of the DES intermediate L at the beginning of the 16th round (0 <= b < 32)
– C is the corresponding ciphertext
– Ks is the 6 key bits entering the S-box corresponding to bit b (0 <= Ks < 2^6)
• Repeat procedure to find all Ks values (8) to get the entire 48-bit subkey
[Figure: 16th DES round, with C, b and Ks labelled]
DPA traces for DES
[Figure labels: Power reference; Correct Ks; Incorrect Ks; 1000 samples]
Quantitative DPA measurements
[Figure labels: Reference power consumption trace; Standard deviation; Differential trace (m=10^4)]
More about DPA
• Noise can be a problem
– Electronic radiation and thermal noise
– Quantization errors
– Uncorrected temporal misalignment
• DPA variations
– Automated template DPA
– High-order DPA
DPA against other algorithms
• In general, DPA can be used to break any symmetric or asymmetric algorithm
• Public key algorithms (i.e. RSA)
– Asymmetric operations tend to leak stronger signals than symmetric ones
• Reverse engineering using DPA
Preventing DPA
• Reduce signal sizes
• Introducing noise into power consumption measurements
• Designing cryptosystems with realistic assumptions about the underlying hardware.
– Balanced HW and SW (i.e. leak tolerant design)
– Incorporating randomness
– Algorithm and protocol-level countermeasures
Take away
• Power analysis techniques are of great concern: multiple vulnerable devices, easy to implement, low cost, and difficult to detect.
• Systems must be designed with realistic assumptions taking into account all the components (algorithms, protocols, hardware, and software) and their interactions.
Questions?